Cisco 2851 - Integrated Services Router User Manual

Cisco 2851 Integrated Services Router FIPS
140-2 Non Proprietary Security Policy
Level 2 Validation
Version 1.3
November 23, 2005
Introduction
This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 2851
Integrated Services Router without an AIM card installed. This security policy describes how the Cisco
2851 Integrated Services Router (Hardware Version: 2851; Firmware Version: 12.3(11)T03) meet the
security requirements of FIPS 140-2, and how to operate the router with on-board crypto enabled in a
secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the
Cisco 2851 Integrated Services Router.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at
http://csrc.nist.gov/cryptval/.
This document contains the following sections:
Introduction, page 1
Cisco 2851 Routers, page 2
Secure Operation of the Cisco 2851 Router, page 17
Related Documentation, page 18
Obtaining Documentation, page 19
Documentation Feedback, page 20
Cisco Product Security Overview, page 20
Obtaining Technical Assistance, page 21
Obtaining Additional Publications and Information, page 22
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2005 Cisco Systems, Inc. All rights reserved.


Summary of Contents for Cisco 2851 - Integrated Services Router

  • Page 1 This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 2851 Integrated Services Router without an AIM card installed. This security policy describes how the Cisco 2851 Integrated Services Router (Hardware Version: 2851; Firmware Version: 12.3(11)T03) meets the security requirements of FIPS 140-2, and how to operate the router with on-board crypto enabled in a secure FIPS 140-2 mode.
  • Page 2: Document Organization

    Terminology In this document, the Cisco 2851 router is referred to as the router, the module, or the system. Document Organization The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this...
  • Page 3 (power label residue: V~ 4A 50/60 Hz) The Cisco 2851 router is a multiple-chip standalone cryptographic module. The router has a processing speed of 450 MHz. Depending on configuration, either the internal Safenet chip or the IOS software is used for cryptographic operations.
  • Page 4 (figure labels: AIM1, AIM0) The Cisco 2851 router features a console port, an auxiliary port, two Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet RJ45 ports, an Enhanced Network Module (ENM) slot, a Voice Network Module (VeNoM) slot, and a Compact Flash (CF) drive.
  • Page 5 (AIM LED states, continued) AIM0 not installed; Solid Green: AIM0 installed and initialized; Solid Orange: AIM0 installed and initialized error. Table 3 describes the meaning of Ethernet LEDs on the rear panel: Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8717-01...
  • Page 6 (FIPS 140-2 logical interface mapping, continued) Data Output Interface: HWIC Ports, Console Port, Auxiliary Port, ENM Slot, VeNoM Slot, 10/100 Ethernet LAN Ports. Control Input Interface: HWIC Ports, Power Switch, Console Port, Auxiliary Port, ENM Slot...
  • Page 7: Roles And Services

    A tamper-evident seal will be placed over the card in the drive. Roles and Services Authentication in the Cisco 2851 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services.
  • Page 8: Physical Security

    Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows:...
  • Page 9: Cryptographic Key Management

    Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE). The routers support the following FIPS 140-2 approved algorithm implementations:...
  • Page 10: Key Zeroization

    The pre-shared key is also used to derive the HMAC-SHA-1 key. The module supports commercially available Diffie-Hellman for key establishment. See the Cisco IOS Reference Guide. All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password.
  • Page 11 (key table, continued) IKE session encrypt key: /AES; stored in plaintext; zeroized automatically after the IKE session is terminated. IKE session authentication key: HMAC-SHA-1 or DES MAC; the IKE session authentication key; stored in DRAM (plaintext); zeroized automatically after the IKE session is terminated...
  • Page 12 (key table, continued) Enable Shared Secret: password; the plaintext password of the CO role, zeroized by overwriting it with a new password; stored in NVRAM (plaintext); zeroization: overwrite with new password...
  • Page 13 Note: An empty entry indicates that a particular SRDI is not accessible by the corresponding service. SRDI/Role/Service Access Policy, Security Relevant Data Items: PRNG Seed, DH private exponent, DH public key...
  • Page 14 Note: An empty entry indicates that a particular SRDI is not accessible by the corresponding service. SRDI/Role/Service Access Policy, Security Relevant Data Items (continued): skeyid, skeyid_d, skeyid_a, skeyid_e, IKE session encrypt key, IKE session authentication key, ISAKMP preshared, IKE hash key, secret_1_0_0, IPSec encryption key, IPSec encryption key...
  • Page 15 SRDI/Role/Service Access Policy, Security Relevant Data Items (continued): Configuration encryption key, Router authentication key, PPP Authentication key, Router authentication key 2, SSH session key, User password, Enable password, Enable secret, RADIUS secret, TACACS+ secret...
  • Page 16 (IOS self-tests, continued) Conditional bypass test; Continuous random number generation test. Self-tests performed by Safenet (Safenet Self Tests), POST tests: AES Known Answer Test; DES Known Answer Test;...
  • Page 17: Initial Setup

    Secure Operation of the Cisco 2851 Router The Cisco 2851 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
  • Page 18: Ipsec Requirements And Cryptographic Algorithms

    Note that all users must still authenticate after remote access is granted. Related Documentation For more information about the Cisco 1841 and Cisco 2801 Integrated Services Routers, refer to the following documents: Cisco 2800 Series Integrated Services Routers Quick Start Guides...
  • Page 19: Obtaining Documentation

    Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
  • Page 20: Documentation Feedback

    Register to receive security information from Cisco. • A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html...
  • Page 21: Obtaining Technical Assistance

    Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 22: Submitting A Service Request

    Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 23 Obtaining Additional Publications and Information Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 24 Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the...